dil_bert Posted February 26, 2020

hello dear experts at phpfreaks,

i hope you are well and everything goes all right. today i have a question regarding the creation of an SSL certificate. note: i am fairly new to the process of generating an SSL certificate.

Is it possible to do self-signed certification of a website without a domain name?

to shed some light i have gathered some information: i have read some documentation and summarize it here, trying to find out the information that helps me to answer the question. i have gathered some info at https://www.openssl.org/ and at stackoverflow, see below.

OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library. For more information about the team and community around the project, or to start making your own contributions, start with the community page. To get the latest news, download the source, and so on, please see the sidebar or the buttons at the top of every page. OpenSSL is licensed under an Apache-style license, which basically means that you are free to get and use it for commercial and non-commercial purposes subject to some simple license conditions.

Quoted from openssl.org, Legalities:
Please remember that export/import and/or use of strong cryptography software, providing cryptography hooks, or even just communicating technical details about cryptography software is illegal in some parts of the world. So when you import this package to your country, re-distribute it from there or even just email technical suggestions or even source patches to the authors or other people you are strongly advised to pay close attention to any laws or regulations which apply to you. The authors of OpenSSL are not liable for any violations you make here. So be careful, it is your responsibility.
ssl certificate without domain name

the downloads: https://www.openssl.org/source/ The master sources are maintained in our git repository, which is accessible over the network and cloned on GitHub, at https://github.com/openssl/openssl. Bugs and pull patches (issues and pull requests) should be filed on the GitHub repo. Please familiarize yourself with the license. The table below lists the latest releases for every branch. (For an explanation of the numbering, see our release strategy.) All releases can be found at /source/old. A list of mirror sites can be found here. Note: The latest stable version is the 1.1.1 series.

The question is: Is it possible to do self-signed certification of a website without a domain name? I have read that we can do this with the service letsencrypt.org: it seems that it does not issue certificates for having no domain name. i have heard about various options and methods:

a. getting a certificate from LetsEncrypt that would be trusted by most of the browsers that are out there. preliminaries: we need a domain that resolves to our server. LetsEncrypt does not issue certs for IP addresses nor for custom dev domains like .local and the like.

secondly: we, of course, are also able to create and sign a certificate ourselves, for every domain name we want, or even for IP addresses. The domain name can be anything, and doesn't necessarily have to be the one we use to access the site. In this case i guess that the webserver won't mind here. But that said, i can imagine that our browser will display a whole bunch of warnings and will throw lots of errors (CN mismatch and things alike, non-trusted signature and other things more), but if we just skip/ignore those kinds of warnings and messages then subsequently we can access the site via HTTPS.

the creation process: How to create a self-signed certificate with OpenSSL. i am on Linux and i guess that we can do this on the console: It's fairly easy to create a self-signed certificate on linux.
If we are on Linux we just use the openssl req command. It can be tricky to create one that can be consumed by the largest selection of clients, that are browsers and command line tools too. The many browsers out there have their own set of requirements, therefore it may be a bit difficult; some browsers are more restrictive than the IETF. The requirements used by browsers are documented at the CA/Browser Forums (see references below). The restrictions arise in two key areas: (1) trust anchors, and (2) DNS names.

so the creation process can have the following steps, according to this documentation taken from here: https://www.ibm.com/support/knowledgecenter/SSMNED_5.0.0/com.ibm.apic.cmc.doc/task_apionprem_gernerate_self_signed_openSSL.html

Procedure: To generate a self-signed SSL certificate using OpenSSL, complete the following steps:

1. Write down the Common Name (CN) for your SSL Certificate. The CN is the fully qualified name for the system that uses the certificate. If you are using Dynamic DNS, your CN should have a wild-card, for example: *.api.com. Otherwise, use the hostname or IP address set in your Gateway Cluster (for example 192.16.183.131 or dp1.acme.com).

2. Run the following OpenSSL command to generate your private key and public certificate. Answer the questions and enter the Common Name when prompted.

    openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem

3. Review the created certificate:

    openssl x509 -text -noout -in certificate.pem

4. Combine your key and certificate in a PKCS#12 (P12) bundle:

    openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12

5. Validate your P12 file:

    openssl pkcs12 -in certificate.p12 -noout -info

Here are the options described in more detail, from the documentation at https://www.openssl.org/docs/manmaster/man1/req.html (note: the documentation is actually much more detailed than the following notes; I just summarized it here):

    openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days XXX

req: PKCS#10 certificate request and certificate generating utility.

-x509: this option outputs a self-signed certificate instead of a certificate request. This is typically used to generate a test certificate or a self-signed root CA.

-newkey arg: this option creates a new certificate request and a new private key. The argument takes one of several forms. rsa:nbits, where nbits is the number of bits, generates an RSA key nbits in size.

-keyout filename: this gives the filename to write the newly created private key to.

-out filename: this specifies the output filename to write to, or standard output by default.

-days n: when the -x509 option is being used this specifies the number of days to certify the certificate for. The default is 30 days.

-nodes: if this option is specified then if a private key is created it will not be encrypted.

The documentation at https://www.openssl.org/docs/manmaster/man1/req.html is actually more detailed than the above; I just summarized it here.
As of 2020, the following command serves all our needs, including SAN (cf https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl/10176685#10176685). In OpenSSL ≥ 1.1.1, this can be shortened to:

    openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
      -keyout example.key -out example.crt -subj "/CN=example.com" \
      -addext "subjectAltName=DNS:example.com,DNS:example.net,IP:10.0.0.1"

It creates a certificate that is: valid for the domains example.com and example.net (SAN), also valid for the IP address 10.0.0.1 (SAN), relatively strong (as of 2020) and valid for 3650 days (~10 years). It creates the following files: Private key: example.key, Certificate: example.crt. All information is provided at the command line. There is no interactive input that annoys you. There are no config files you have to mess around with. All necessary steps are executed by a single OpenSSL invocation: from private key generation up to the self-signed certificate.

Remark #1: Crypto parameters. Since the certificate is self-signed and needs to be accepted by users manually, it doesn't make sense to use a short expiration or weak cryptography. In the future, you might want to use more than 4096 bits for the RSA key and a hash algorithm stronger than sha256, but as of 2020 these are sane values. They are sufficiently strong while being supported by all modern browsers.

Remark #2: Parameter "-nodes". Theoretically we could leave out the -nodes parameter (which means "no DES encryption"), in which case example.key would be encrypted with a password. However, this is almost never useful for a server installation, because you would either have to store the password on the server as well, or you'd have to enter it manually on each reboot.
    openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
      -keyout example.key -out example.crt -extensions san -config \
      <(echo "[req]"; echo distinguished_name=req; echo "[san]"; echo subjectAltName=DNS:example.com,DNS:example.net,IP:10.0.0.1 ) \
      -subj "/CN=example.com"

the question is: Is it possible to do self-signed certification of a website without a domain name? I have read that we can do this with the service letsencrypt.org: it seems that it does not issue certificates for having no domain name. i have heard about various options and methods that i have described above.

look forward to hearing from you. regards ...

taken from here: https://www.ibm.com/support/knowledgecenter/SSMNED_5.0.0/com.ibm.apic.cmc.doc/task_apionprem_gernerate_self_signed_openSSL.html

Link to comment: https://forums.phpfreaks.com/topic/310141-how-to-create-a-self-signed-certificate-with-openssl/
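The IP-only case the question asks about, as an added example that is not part of the original post: the IP address goes into the subjectAltName (the field browsers actually match on), and three checks confirm the result. It assumes OpenSSL 1.1.1 or later on PATH (for -addext) and uses a constructed address from the documentation range, not a real host.

```shell
#!/bin/sh
# Added example, not code from the forum thread: a self-signed certificate for
# a server that has no domain name and is reached by IP address only.
# Assumes OpenSSL >= 1.1.1 on PATH (the -addext option needs it).
set -eu

# gen_ip_cert <ip> <outdir>: writes <outdir>/server.key and <outdir>/server.crt.
# The IP goes into subjectAltName; modern browsers match on SAN, not on CN.
gen_ip_cert() {
    ip="$1"; out="$2"
    mkdir -p "$out"
    openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
        -keyout "$out/server.key" -out "$out/server.crt" \
        -subj "/CN=$ip" \
        -addext "subjectAltName=IP:$ip" 2>/dev/null
    chmod 600 "$out/server.key"   # unencrypted key (-nodes): restrict access
}

# cert_has_san_ip <crt> <ip>: succeeds if the cert lists exactly <ip> as a SAN entry.
cert_has_san_ip() {
    openssl x509 -in "$1" -noout -text | grep -Eq "IP Address:$2(,|$)"
}

# key_matches_cert <key> <crt>: succeeds if the private key belongs to the cert
# (compares the public key derived from each file).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey)
    [ "$k" = "$c" ]
}

# cert_is_self_signed_ok <crt>: succeeds if the cert verifies with itself as
# the trust anchor, which is what a client sees after importing it manually.
cert_is_self_signed_ok() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Usage with a constructed sample IP (TEST-NET-1 range, no real host).
dir=$(mktemp -d)
gen_ip_cert 192.0.2.10 "$dir"
cert_has_san_ip "$dir/server.crt" 192.0.2.10 && echo "SAN contains 192.0.2.10"
key_matches_cert "$dir/server.key" "$dir/server.crt" && echo "key matches cert"
cert_is_self_signed_ok "$dir/server.crt" && echo "self-signed chain verifies"
```

On OpenSSL older than 1.1.1 the -addext line has to be replaced by the -config form shown in the post above.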
requinix Posted February 26, 2020

You can generate a self-signed cert just for the webserver if you want, but every browser will warn you about it (though they'll allow you to continue anyways). Let's Encrypt is for a publicly accessible website with a proper domain name and DNS setup.
gizmola Posted February 26, 2020

requinix said: You can generate a self-signed cert just for the webserver if you want, but every browser will warn you about it (though they'll allow you to continue anyways). Let's Encrypt is for a publicly accessible website with a proper domain name and DNS setup.

+1 for Let's Encrypt. Much better solution and a *real* cert that browsers recognize and accept.
requinix Posted February 26, 2020

Reminder: these forums use Let's Encrypt certs. They last for 3+ months and we have a cronjob that automatically renews when needed. A free cert that I never have to worry about expiring and renewing by myself is amazing.